ISO 27002:2022 Clause 7 Physical Controls Guide
ISO/IEC 27002:2022 Clause 7 (ISO/IEC 27001:2022 Annex A.7) covers the measures an organization must implement to protect its physical environment and assets.
It consists of 14 specific physical security controls designed to prevent unauthorized access, damage, or interference to facilities, equipment, and information.
Understanding ISO 27001 Clause 7 Physical Controls
ISO 27001:2022 groups its 93 Annex A controls into four themes: organizational, people, physical, and technological.
Clause 7 focuses on Physical Controls – 14 measures designed to protect tangible assets and locations where sensitive information is stored or processed.
These controls address everything from securing buildings and equipment to managing environmental threats.
Clause 7 ensures that your offices, data centers, and other facilities are safeguarded against unauthorized entry, theft, vandalism, natural disasters, and other physical risks.
Effective physical controls work in tandem with technical and administrative controls to create a robust, holistic ISMS.
Control 7.1 Physical Security Perimeters
Control 7.1 requires establishing physical security perimeters to secure the areas where sensitive information and critical assets reside.
A security perimeter is the boundary that protects a facility or zone – it could be an outer fence, the walls of a building, or the locked doors to a secure office.
Clearly defined perimeters deter and delay intruders, serving as the first line of defense against unauthorized physical access.
Implementation Best Practices
Organizations should identify all sensitive or restricted areas and implement appropriate barriers around them.
This may include fencing and gates around a campus, locked exterior doors, security vestibules, or even mantraps (two-door entry systems) for high-security areas. Ensure there are perimeter alarms or CCTV cameras monitoring the outer entrances – for example, installing cameras along the fence line or at building entrances to detect intruders and alert security personnel.
If your building is directly on a public street (no outer fence), the building’s exterior itself is the perimeter; in this case, reinforced doors, alarmed windows, and surveillance on entrances are key. Clearly mark secure zones with signage (e.g. “Authorized Personnel Only”) to warn against trespassing.
Control 7.1 – Physical security perimeters: To learn more about defining and enforcing physical security boundaries, visit our dedicated Physical Security Perimeters page for a more detailed guide.
Control 7.2 Physical Entry Controls
Control 7.2 focuses on controlling entry points to secure areas. Even with strong perimeters, you must manage how doors, gates, and other access points are opened and by whom.
The goal is to ensure only authorized personnel and visitors enter secure premises, and to log or monitor their entry. Effective entry controls prevent tailgating (an unauthorized person slipping in behind an authorized person) and social engineering attacks at entry points.
Implementation Best Practices
Use authentication measures at all entry points to verify identity.
Common solutions include electronic keycard or fob systems, PIN pads, or biometric readers (fingerprint, face recognition) on doors. All employees should have unique ID badges or access cards, configured to allow entry only to areas they need.
Set up a visitor management process: require visitors to sign in (physical log book or digital system), issue them temporary badges, and ensure they are escorted by authorized staff. It’s wise to train staff to challenge unfamiliar faces – e.g. to politely ask anyone they don’t recognize who isn’t wearing a badge to identify themselves.
Also, consider anti-tailgating doors or turnstiles that allow only one person at a time. An access control system should record entries (who, when, where) for audit purposes.
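As an added example (not part of this guide or of any access-control product), the following Python script reviews a constructed badge-reader export for the conditions this control describes: a visitor entering a secure zone with no employee entry shortly before (unescorted), an exit with no matching entry (a tailgating indicator), a reader granting a zone that is not in the badge holder’s entitlements, and after-hours entry to a secure zone. The CSV layout, badge ids, zone names, business hours and the 60-second escort window are all assumptions made for the example.

```python
"""Review a badge-reader log for ISO 27002 control 7.2 conditions.

Constructed example: the log format, entitlement list, zone names and
thresholds below are assumptions, not a real product's schema.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed CSV export: timestamp,badge,holder,badge_type,zone,direction,result
ACCESS_LOG = """\
2024-05-06T08:58:10,E1001,alice,employee,SERVER_ROOM,in,granted
2024-05-06T09:02:45,E1002,bob,employee,SERVER_ROOM,in,granted
2024-05-06T09:03:01,V2001,visitor-ctr,visitor,SERVER_ROOM,in,granted
2024-05-06T09:40:12,E1002,bob,employee,SERVER_ROOM,out,granted
2024-05-06T10:15:30,V2002,visitor-hvac,visitor,SERVER_ROOM,in,granted
2024-05-06T11:05:00,E1003,carol,employee,SERVER_ROOM,out,granted
2024-05-06T12:00:00,E1004,dave,employee,SERVER_ROOM,in,granted
2024-05-06T23:30:00,E1001,alice,employee,SERVER_ROOM,in,granted
2024-05-06T23:35:00,E1005,erin,employee,LOBBY,in,granted
"""

# Constructed entitlement list: the zones HR/facilities say each badge may enter.
ENTITLEMENTS = {
    "E1001": {"LOBBY", "SERVER_ROOM"},
    "E1002": {"LOBBY", "SERVER_ROOM"},
    "E1003": {"LOBBY", "SERVER_ROOM"},
    "E1004": {"LOBBY"},  # dave is not authorised for the server room
    "E1005": {"LOBBY"},
}
SECURE_ZONES = {"SERVER_ROOM"}
ESCORT_WINDOW = timedelta(seconds=60)  # visitor must follow an employee within 60 s
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_log(text):
    """Parse the CSV export into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, holder, btype, zone, direction, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "holder": holder, "type": btype, "zone": zone,
                       "dir": direction, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def review(events):
    """Return (finding, badge, timestamp) tuples for events needing follow-up."""
    findings = []
    inside = defaultdict(set)   # zone -> badges that badged in and not yet out
    last_employee_in = {}       # zone -> time of the most recent employee entry
    for e in events:
        if e["result"] != "granted":
            continue  # denied attempts are worth reviewing too, but not here
        zone, badge = e["zone"], e["badge"]
        if e["dir"] == "in":
            # Reader granted a zone that the entitlement list never authorised.
            if e["type"] == "employee" and zone not in ENTITLEMENTS.get(badge, set()):
                findings.append(("entitlement_mismatch", badge, e["ts"]))
            # Visitor entering a secure zone with no employee entry just before.
            if e["type"] == "visitor" and zone in SECURE_ZONES:
                prev = last_employee_in.get(zone)
                if prev is None or e["ts"] - prev > ESCORT_WINDOW:
                    findings.append(("unescorted_visitor", badge, e["ts"]))
            # Entry to a secure zone outside business hours.
            if zone in SECURE_ZONES and not (
                    BUSINESS_HOURS[0] <= e["ts"].time() < BUSINESS_HOURS[1]):
                findings.append(("after_hours_entry", badge, e["ts"]))
            if e["type"] == "employee":
                last_employee_in[zone] = e["ts"]
            inside[zone].add(badge)
        else:
            # Badging out without having badged in: the person got in some
            # other way, most likely by following someone through the door.
            if badge not in inside[zone]:
                findings.append(("exit_without_entry", badge, e["ts"]))
            inside[zone].discard(badge)
    return findings


if __name__ == "__main__":
    for kind, badge, ts in review(parse_log(ACCESS_LOG)):
        print(f"{ts.isoformat()}  {kind:22s}  badge={badge}")
```

Running it against the constructed log reports the unescorted HVAC visitor, carol’s exit with no entry, dave’s entry to a zone he is not entitled to, and alice’s late-night server-room entry; each is a record to reconcile against the visitor log, escort roster and change tickets rather than a confirmed incident.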
Control 7.2 – Physical entry controls: For further details on controlling who enters secure areas (e.g., badges, biometrics, visitor processes), see our Physical Entry Controls page where this control is explained in greater depth.
Control 7.3 Securing Offices, Rooms and Facilities
Control 7.3 extends the concept of physical security inside the building, emphasizing that all offices, rooms, and facilities that contain sensitive information or assets should be secured. Even within a secured perimeter, not every room should be freely accessible to all staff. For instance, server rooms, records archives, or labs may need extra protection. The purpose is to prevent unauthorized access or activity inside sensitive areas and to ensure that even unused spaces aren’t exploited for illicit purposes.
Implementation Best Practices
Identify which rooms or areas in your organization are considered “secure areas” – typically any space where classified or sensitive operations occur (e.g., IT server rooms, finance file storage, executive offices, etc.). Implement access controls at the room level: this can be as simple as lock-and-key for a storage room, or as complex as badge readers and alarms on a server room door. Develop procedures for checking unused rooms; for example, facility staff might routinely inspect that unused offices or meeting rooms remain locked and have not been tampered with. For areas handling highly confidential work, consider additional safeguards like soundproofing or covered windows to prevent eavesdropping or visual spying. It’s also important to control who has keys or access rights to each room and to review those rights periodically.
Control 7.3 – Securing offices, rooms and facilities: To learn more about protecting offices, rooms, and sensitive facilities with layered physical safeguards, check out our Securing Offices, Rooms and Facilities page for practical guidance.
Control 7.4 Physical Security Monitoring
Control 7.4 is about monitoring your premises and secure areas to detect and respond to security events. This includes surveillance systems (like CCTV cameras) and alarm systems for intrusion or environmental hazards. The purpose is twofold: deter potential intruders (knowing they are being watched) and quickly detect unauthorized access or incidents in progress. Monitoring also covers safety systems – e.g., smoke detectors monitoring for fire – because environmental incidents can threaten information and operations too. This control was newly introduced in the 2022 update, underscoring the importance of continuous surveillance in modern security.
Implementation Best Practices
Install CCTV cameras at strategic locations: building entrances, corridors leading to sensitive areas, server rooms, parking lots, etc. Ensure cameras have adequate coverage (no blind spots in critical areas) and that footage is recorded and retained for a defined period for review/investigation. Use cameras with tamper detection and consider off-site storage of footage for redundancy. If appropriate, employ security guards or an alarm monitoring service – have clear guard patrol routes and incident response procedures. Equally important, deploy environmental monitoring: smoke and heat detectors, water leak sensors (especially in server rooms), and alarms for any condition that could endanger the equipment (e.g., temperature/humidity alarms if A/C fails). Tie these into an alerting system so that responsible personnel get immediate notifications. Be mindful of privacy laws when using surveillance (especially in areas where employees work); only monitor what’s necessary and secure the footage access to authorized staff.
Control 7.4 – Physical security monitoring: For a deeper dive into CCTV, alarms, access logs, and monitoring practices that support this control, see our dedicated page on physical security monitoring.
Control 7.5 Protecting Against Physical and Environmental Threats
Control 7.5 mandates that organizations assess and mitigate risks from physical threats and environmental events. This means thinking beyond intentional intruders – consider natural disasters (fire, flood, earthquakes, storms) and other environmental hazards, as well as crime risks in your area. The purpose is to ensure that appropriate protective measures (equipment, plans, procedures) are in place to handle these situations and minimize damage to information assets. In essence, this control is about resilience against worst-case scenarios in the physical world.
Implementation Best Practices
Start with a physical risk assessment of each site. Identify relevant threats: e.g., is the facility in a high-crime neighborhood? In a floodplain or earthquake zone? Near a factory that could cause industrial accidents? For each significant threat, implement controls to mitigate it:
- For crime/vandalism risks: strengthen building security with alarm systems, outdoor security lighting, reinforced doors/windows, CCTV coverage, possibly 24-hour security patrols.
- For fire risks: install fire detection and suppression systems (smoke/heat detectors, fire alarms, sprinklers or gas suppression in server areas), and maintain fire extinguishers. Regularly conduct fire drills and ensure emergency exits are accessible.
- For natural disasters: if in earthquake-prone areas, use seismic bracing for equipment (e.g., server racks bolted to floor). In flood-prone regions, keep critical equipment off ground level or install flood barriers. For storms, secure roof-mounted equipment and have plans for window protection.
- Create and practice emergency response procedures for these events. For example, have an evacuation plan for fires, a shelter plan for tornadoes, and a recovery plan for after a disaster (this overlaps with business continuity planning).
- Keep maintenance records for all safety equipment (alarms, extinguishers). Auditors will expect to see that things like fire alarms and generators are tested regularly.
Control 7.5 – Protecting against physical and environmental threats: To learn more about managing risks like fire, flood, power loss, and other environmental threats, see our dedicated page on this control.
Control 7.6 Working in Secure Areas
Control 7.6 deals with the policies and procedures for personnel working in or visiting secure areas. A secure area is any location behind a security control (such as a locked door) where sensitive information or critical operations occur. This control recognizes that even authorized individuals inside a secure area can introduce risks if they behave inappropriately. The purpose is to define acceptable behavior and precautions within secure zones to prevent data leakage or security incidents from within. It covers things like escorting visitors, rules on what items can be brought in or taken out, and how to act during emergencies in those areas.
Implementation Best Practices
Develop a physical security policy or specific procedures that outline how to operate in secure areas. Key points often include:
- Visitor handling: Visitors to secure areas (e.g. contractors, maintenance) should be limited and always escorted. Keep a log of who is in the secure area and when.
- Personal belongings: Consider restrictions such as no personal phones, cameras, or USB drives in highly sensitive areas (to prevent covert recording or data removal). Some organizations require leaving bags/coats outside or inspecting them upon exit.
- Clear desk/clean area practices: In secure offices, ensure sensitive documents are not left out (ties into clear desk control 7.7). Also, screens in secure areas should be locked when unattended, even if the area itself is locked, to add another layer.
- Two-person rule or lone worker rule: For very sensitive operations (e.g., accessing a cash vault or a top-secret lab), you might require two authorized people present at the same time. Conversely, if lone work is allowed (like an employee alone in a server room after hours), have a check-in/check-out or monitoring procedure for safety.
- Emergency procedures: Define what to do if evacuation is needed from a secure area (ensuring doors lock behind people, etc.) and how re-entry is controlled afterward.
Train employees on these rules so that working in a secure area becomes second nature. Post signage as reminders (e.g., signs that say “Secure Area – No Photography, Badge Must Be Worn at All Times”). Cyberzoni can assist in developing secure area policies tailored to your facility, ensuring all necessary behaviors and restrictions are covered.
Control 7.6 – Working in secure areas: For further guidance on rules, procedures, and operational discipline inside secure zones, see our Working in Secure Areas page where we cover this control extensively.
Control 7.7 Clear Desk and Clear Screen Policy
Control 7.7 requires organizations to implement a clear desk and clear screen policy. The purpose is to ensure that sensitive information (on paper or on screens) is not left exposed when unattended. A “clear desk” means employees put away all confidential documents, notes, or portable storage media when they are not at their workstation (especially at the end of the day). “Clear screen” means locking your computer screen whenever you step away. This control is important for preventing opportunistic viewing or theft of information – an unauthorized visitor or even a colleague should not be able to glean sensitive data from papers left out or an unlocked computer. Auditors often view clear desk/screen as a strong indicator of an organization’s security culture.
Implementation Best Practices
Draft a clear desk & screen policy and communicate it to all staff. Key points include:
- Employees must log off or lock their computers (e.g., Ctrl+Alt+Del or Windows+L) whenever leaving them unattended, even for a short break.
- At the end of the workday (or when leaving the office), all sensitive papers should be removed from desks and secured in locked drawers or cabinets. No Post-it notes with passwords, no confidential files left out.
- Clean desk checks: Some companies do random after-hours checks or morning walkthroughs to verify compliance – finding a paper with confidential info left out would be a policy violation that gets reported.
- Extend this to other output devices: employees should pick up prints immediately from shared printers, and no sensitive printouts should be left uncollected. Similarly, fax machines or copiers shouldn’t have sensitive originals sitting on them.
- Provide the means to comply: ensure there are lockable cabinets or shredders available so employees can properly secure or dispose of documents.
Control 7.7 – Clear desk and clear screen: To learn more about preventing visual data exposure and reducing opportunistic information leakage, see our dedicated page on this control.
Control 7.8 Equipment Siting and Protection
Control 7.8 involves the proper placement and protection of equipment (servers, computers, network devices, etc.) to minimize risks of unauthorized viewing, access, or damage. “Siting” refers to where you position equipment, taking into account physical safety and security. The goal is to prevent someone from easily observing or tampering with equipment and to protect equipment from environmental hazards. This control recognizes that even if data is secured digitally, someone looking over a shoulder or physically interfering with a device can compromise information.
Implementation Best Practices
Conduct a review of all critical equipment locations:
- Screen positioning: Ensure monitors are not facing public areas or exterior windows where outsiders could read information. If there are windows, use blinds, frosted glass, or privacy filters on screens. In reception areas or open offices, position screens away from visitor view.
- Secure mounting: Physically secure equipment to prevent theft or movement. For instance, use locking cables for laptops in public kiosks or open labs, lock servers into racks, and bolt the racks to the floor. Use lockable cases or enclosures for networking gear that might be in less secure areas.
- Environment: Place sensitive equipment in locations with appropriate climate control and power. For example, servers and network hubs should be in a dedicated server room or closet with cooling, rather than out on a desk where they could overheat or be accidentally unplugged. Avoid placing equipment under sprinklers or in areas prone to leaks unless adequately protected.
- Protect from damage: Keep food and liquids away from critical equipment to avoid spills. In warehouses or factories, protect devices from dust or forklift traffic (maybe using cages).
- Regularly inspect the site for any equipment that might be inadvertently placed in vulnerable positions (e.g., a router sitting under an employee’s desk where a visitor could plug into it). Proactively re-site equipment if needed.
Control 7.8 – Equipment siting and protection: For more detail on placing and protecting equipment to reduce theft, tampering, and environmental risk, see our dedicated page on this control.
Control 7.9 Security of Assets Off-Premises
Control 7.9 addresses the security of organizational assets that are used or stored outside of the physical premises.
With remote work, travel, and off-site storage common today, this control is vital. It ensures that laptops, mobile devices, paper files, or any sensitive materials taken off-site are adequately protected against loss, theft, or unauthorized access.
The purpose is to extend your security controls beyond the office walls, recognizing that threats exist wherever the asset goes.
Implementation Best Practices
Develop clear policies and guidelines for using and protecting company assets off-site:
- Laptops & Mobile Devices: Require full-disk encryption and strong authentication (a password or PIN) on all portable devices. If a laptop is stolen but encrypted, the data remains protected. Consider remote wipe capabilities for mobile devices. Also, keep device inventories – who has which asset – so lost items are noticed and addressed.
- User Awareness: Train employees never to leave devices unattended in public places. For example, laptops should not be left visible in a car or checked in luggage – always carry them or lock them in a secure place. Teach them to be cautious using devices in public (e.g., watch out for shoulder surfers when working on a plane).
- Off-site work locations: If employees work from home, advise or provide them with security tools: a locking drawer or safe for files and laptops, a privacy screen if they work near windows, and possibly a cable lock for the laptop at home. Ensure they secure their home Wi-Fi or use a company VPN for network security.
- Asset Tracking: Implement check-out procedures for equipment leaving premises. For example, if someone takes a hard drive or a prototype device off-site, log it and have them confirm responsibility. If using off-site storage (like a warehouse or safe deposit for backup tapes), ensure that facility has proper controls and that items are securely transported.
- Insurance & Response: As a contingency, having insurance for equipment and incident response plans (e.g., if a laptop with PII is stolen, what steps to take) is wise.
Control 7.9 – Security of assets off-premises: To learn more about securing laptops, devices, and sensitive assets outside company premises (travel, remote work, off-site storage), see our dedicated page on this control.
Control 7.10 Storage Media Security
Control 7.10 focuses on the management and security of storage media (USB flash drives, external hard drives, backup tapes, DVDs, etc.). Improper use of portable storage media can lead to data loss or leaks – these items are small and easily misplaced or stolen. The purpose of this control is to ensure that any use of storage media is authorized and secure, and that media is handled in a way that protects the information it contains throughout its lifecycle (from creation to transportation to disposal).
Implementation Best Practices
A comprehensive approach to storage media security includes:
- Usage Policies: Decide if your organization will even allow USB drives or other removable media. Many modern security policies forbid uncontrolled use of USB drives due to malware and leak risks. If not needed, one approach is to technically disable USB ports on company computers or allow only approved, encrypted devices. If media use is allowed, strictly control what types and for what purposes.
- Encryption: Require that any sensitive data on portable media be encrypted. For example, if someone must put files on a USB stick to transfer, that USB should have encryption software or be a hardware-encrypted device. This way, if it’s lost, the data isn’t readily accessible.
- Handling Practices: Emphasize that removable media is for transfer, not storage. Users should not keep the only copy of important info on a USB drive long-term. After transferring data, they should delete it from the device (and ideally securely wipe it). Also, limit the data volume on media – large dumps of data on a portable drive pose big risks.
- Inventory and Labeling: Keep an inventory of official storage media (especially backup tapes or drives). Label them clearly and track who has them. If a backup tape is sent off-site, record that. This ties into disposal control (7.14) when media are retired.
- Malware Scans: If media from outside (e.g., a client gives you a USB drive) must be used, have procedures to scan it on an isolated system for malware before connecting to the network.
- Physical Protection: Just like laptops, media should not be left lying around. Provide locked drawers or safes for any sensitive media. During transport (say, sending backup tapes to off-site storage), use secure courier services and tamper-evident packaging.
Control 7.10 – Storage media: For further details on securing removable media and physical storage (USBs, backup drives, tapes), visit our Storage Media Security page where we explore this control in greater depth.
Control 7.11 Supporting Utilities
Control 7.11 is about ensuring the reliability and security of supporting utilities that service your critical environments. Supporting utilities include electricity, water, heating/ventilation/air conditioning (HVAC), and telecommunications/connectivity. The rationale is that if any of these fail, they could compromise information security or operations. For example, a power outage could bring down servers (affecting availability) or disable electronic door locks and CCTV (affecting security monitoring). This control’s purpose is to put safeguards and redundancies in place so that a utility failure does not lead to a security failure.
Implementation Best Practices
Evaluate your infrastructure and consider:
- Power continuity: Install Uninterruptible Power Supplies (UPS) for servers, network gear, and security systems (like alarm panels). UPS units provide battery backup to keep equipment running during short outages or until generators kick in. For longer outages, have an emergency generator if the business need is critical (common for data centers or 24/7 operations). Test the generator regularly and ensure fuel supply.
- Redundant connections: For telecom/internet, if your business can’t tolerate downtime, consider a backup internet line (possibly from a different provider) that can take over if the primary fails. Similarly, having redundant phone lines or cell backup for alarms is good (so an intruder can’t just cut one line to disable alarms).
- HVAC and water: Ensure server rooms have dedicated cooling. If the building’s cooling fails, have portable AC or plans to shut down equipment gracefully to avoid overheating. Water supply can be critical for cooling in large data centers (chiller systems) and for fire suppression systems (sprinklers require water pressure). Make sure these systems have contingency plans – e.g., a water tank or alternative cooling method if city water fails.
- Monitoring: Monitor utility status. Many UPS systems can report power events; environmental monitors can detect temperature/humidity changes. Have alerts for utility failures so the team can respond quickly (for instance, knowing the air conditioning failed in a server room so you can power down servers before they fry).
- Physical protection of utility lines: This crosses with cabling security – protect power and telecom cables from being easily cut or damaged, especially those entering your building (e.g., ensure they’re underground or in secure conduits where possible).
Control 7.11 – Supporting utilities: To learn more about protecting critical utilities like power, HVAC, and connectivity that impact availability and safety, check out our Supporting Utilities page for an in-depth guide.
Control 7.12 Cabling Security
Control 7.12 concerns the protection of cables that carry power and data. Network and power cabling often runs throughout a building and even between buildings; if not secured, these cables could be tapped, damaged, or interfered with either deliberately or accidentally. The purpose is to prevent eavesdropping on network cables (which could compromise confidentiality) and to avoid outages or malfunctions due to cable damage or electrical interference. Securing cabling is a commonly overlooked aspect, but it’s crucial for sustaining the integrity and reliability of the IT infrastructure.
Implementation Best Practices
Best practices for cabling security include:
- Route cables in secure areas: Whenever possible, run important network cables above ceilings, within walls, or under floors where they aren’t accessible to the public. For cables that run outdoors or between buildings, bury them underground or at least run them through conduit that’s not easily reachable. Lock telecommunication rooms or demarcation points where outside lines enter.
- Prevent interception: Fiber optic cables are harder to tap than copper, but both should be protected. Use conduit or trunking for sensitive cabling to make physical access difficult. If particularly high-security, consider alarmed carrier systems that detect if a cable is cut or tampered. Also ensure patch panels or network ports in publicly accessible areas are secured or disabled to prevent unauthorized plugging in.
- Separate data and power cables: Follow cable management guidelines like keeping power cables separate from data cables to reduce electromagnetic interference. This is often done by using separate cable trays or conduits. Interference can corrupt data or cause network issues, so separation helps maintain signal integrity.
- Neat and labeled cabling: Organize cables with proper labeling and avoid spaghetti tangles. Not only is this good for maintenance, but as URM consultants note, messy cables can cause stress and even breakage over time. A tidy setup reduces the chance of accidental unplugging or tripping hazards that could yank cables out. It also helps quickly identify the right cable if troubleshooting or during emergency repairs.
- Regular inspection: Periodically inspect visible cable runs for wear, damage, or exposure. For instance, if you find a network cable running across a floor under a rug, that’s a risk – reroute it properly. Check that cable locks or cabinet locks are intact.
Control 7.12 – Cabling security: For a deeper explanation of securing power and network cabling against interception, tampering, or disruption, see our dedicated page on this control.
Control 7.13 Equipment Maintenance
Control 7.13 requires that equipment vital to security and business operations be properly maintained. This includes not just IT systems but also security devices (alarms, CCTV cameras), environmental systems (HVAC, generators), and any other equipment that, if it failed, could impact information security. The purpose is to ensure everything works as intended when needed – for example, a broken lock or a failed fire alarm could lead to a security incident. Regular maintenance preserves the integrity and availability of controls and systems.
Implementation Best Practices
Key steps for equipment maintenance:
- Inventory Critical Equipment: Identify what equipment falls under this control. Typically: servers and network infrastructure, backup devices, security alarm panels, surveillance cameras, biometric readers, UPS and generators, fire detection/suppression systems, and environmental controls for secure areas.
- Maintenance Schedule: Establish schedules for preventative maintenance per manufacturer or industry guidelines. E.g., service the generator and change its oil every X hours of runtime or annually; test UPS batteries twice a year; inspect and clean CCTV cameras quarterly; calibrate environmental sensors, etc. Keep maintenance logs or records for each item.
- Service Level Agreements: If you outsource maintenance (e.g., a vendor maintains the fire alarm system or AC units), have clear SLAs and ensure they provide documentation of each service visit. Coordinate with building management if you rent space – e.g., the landlord may handle HVAC or power systems, but you should obtain evidence that those are maintained properly.
- Testing: In addition to vendor maintenance, do your own periodic testing of security systems. For instance, test that the backup generator actually kicks in, test door access systems fail-secure (or fail-safe) as designed, run fire alarm tests/drills. This will often be in conjunction with business continuity or safety drills.
- Timely Repairs: Have a procedure to report and fix any malfunctioning equipment. If an employee notices a door reader isn’t locking properly or a camera is offline, they should know how to alert IT or facilities immediately. Until fixed, consider interim measures (like a guard posted if an electronic lock fails).
- Documentation for Audit: Auditors may ask for proof of maintenance. Keep certificates or reports from vendors (e.g., annual fire system inspection report), and internal logs of routine checks.
Control 7.13 – Equipment maintenance: To learn more about maintenance procedures, service schedules, and audit‑friendly evidence for this control, visit our Equipment Maintenance page for full guidance.
Control 7.14 Secure Disposal or Re-Use of Equipment
The final physical control, 7.14, is about the secure disposal or reuse of equipment that may contain sensitive data. When devices (computers, servers, hard drives, USB sticks, printers with memory, etc.) reach end-of-life or are repurposed, they often still house confidential information. The purpose of this control is to prevent data leaks via discarded or reused equipment. Simply tossing an old hard drive in the trash or handing a used laptop to a new employee without wiping it could inadvertently give away personal data, customer information, or intellectual property.
Implementation Best Practices
A robust asset disposal process should include:
- Policy and Procedures: Define how various types of media and equipment should be disposed of or sanitized. For example, “All hard drives shall be wiped using [approved software] or degaussed before leaving company control; if not possible, they must be physically destroyed.” Include removable media and even paper documents in the scope (though paper disposal is typically covered under a different control, it aligns with this concept).
- Data Sanitization: Use methods appropriate to the sensitivity of data:
  - For reuse internally (say reissuing a laptop to another employee), perform a full wipe of the drive and reinstall the OS from scratch. Ensure no residual data remains from the previous user.
  - For disposal or external recycling, consider more permanent methods: cryptographic erasure (encrypt the drive and destroy keys), multiple-pass overwriting, degaussing (for magnetic media), or physical destruction (shredding, drilling, crushing drives).
- Inventory tracking: Integrate disposal with asset management. When an asset is taken out of service, update the inventory with its disposal status. Keep a record of what was done (e.g., “Laptop S/N 12345 – decommissioned on DATE – drive wiped with DoD 3-pass – sent to recycling vendor”). This demonstrates control and accountability.
- Third-Party Disposal: If using outside companies to haul away and destroy hardware, vet them for security (they should ideally be certified e-waste or shredding providers). Obtain certificates of destruction or detailed reports from them for audit evidence.
- Include all memory-bearing devices: Don’t forget things like copier/printer hard drives, network equipment that might have configuration data, or even IoT devices. All should be wiped or reset before disposal.
- Secure storage prior to disposal: Devices awaiting destruction or recycling should be kept in a secure location (locked room or container) until the deed is done. This prevents someone from scavenging a drive out of a pile of “to be disposed” equipment.
Control 7.14 – Secure disposal or re-use of equipment: For further details on secure wiping, destruction, reuse processes, and proof of disposal, explore our Secure Disposal or Re‑Use of Equipment page for a comprehensive deep dive.
Conclusion
ISO/IEC 27001:2022 Clause 7’s physical security controls are a cornerstone of a comprehensive security program.
They ensure that the physical foundations of information security – your buildings, hardware, and environmental safeguards – are solid and resilient.
Each of the 14 controls plays a role in defending against threats ranging from break-ins and insider snooping to fires and power outages.